on 11-07-2011 01:58 PM
In this document we walk through a configuration that sets up BNG for IPoE and PPPoE. The setup used here is similar to the one shown in the YouTube video for the IP sessions demo.
It gives a detailed description of how to build the configuration and of the options involved in establishing PPPoE and IPoE sessions, and explains the anatomy of the control policy language.
hostname A9K-BNG
radius-server host 3.0.0.38 auth-port 1645 acct-port 1646
!Radius-server definition with the IP address and the UDP ports it is going to use.
key 7 045802150C2E
!Secret key for the radius communication
timeout 1
!Maximum time waiting for response
retransmit 1
!Maximum number of times you retransmit the request, after waiting <timeout> time.
!COA server definition
aaa server radius dynamic-author
port 1700
!COA port is standard 1700
client 3.0.0.1 vrf default server-key 7 13061E010803
client 10.86.1.49 vrf default server-key 7 14141B180F0B
!The clients from which we are going to accept a COA Response.
!Attribute definitions that we can reference for the nas-port
!building.
!"MY_AUTH" will take the mac address, circuit ID and remote ID and
!append them together separated by hash signs. If one of the fields is
!not available, an empty string will be provided for that portion.
!Example: 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote
!
aaa attribute format MY_AUTH
mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
! Nas-port computation for PPPoE (type 32); sessions that are not PPPoE
! follow the global (non-typed) format on the next line.
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
!Set up the XR nas-port-id (attr 87) for sessions following the nas-port format instructions above.
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
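The nas-port format string above is a 32-bit bit layout, MSB first. The decoder below is an added example (not code from this document or from Cisco) that splits a NAS-Port value according to that string and rebuilds it; the field widths come from the page's format string, while the letter meanings (slot, adapter, port, VLAN) are an assumption based on the usual format-e convention, corroborated for V by the Nas-Port values in the show output later on this page.

```python
from itertools import groupby

# Bit layout copied from the page's "aaa radius attribute nas-port format e"
# line: 2 bits S, 2 bits A, 4 bits P, 10 bits Q, 10 bits V, 4 bits U, MSB first.
FORMAT_E = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"

# Assumed letter meanings (usual Cisco "format e" convention); only the
# widths above come from the page itself.  V is corroborated by the page's
# show output, where it decodes to the session's dot1q VLAN.
LETTER_MEANING = {"S": "slot", "A": "adapter", "P": "port",
                  "Q": "Q (assumed inner vlan)", "V": "vlan",
                  "U": "U (meaning not given on the page)"}


def parse_layout(fmt):
    """Turn a format string into [(letter, width), ...], MSB first."""
    if len(fmt) != 32:
        raise ValueError("a NAS-Port format must describe exactly 32 bits")
    layout = [(letter, len(list(run))) for letter, run in groupby(fmt)]
    if len({letter for letter, _ in layout}) != len(layout):
        raise ValueError("each letter must form one contiguous run")
    return layout


def decode_nas_port(value, fmt=FORMAT_E):
    """Split a 32-bit NAS-Port attribute value into its lettered fields."""
    if not 0 <= value < 1 << 32:
        raise ValueError("NAS-Port must be an unsigned 32-bit integer")
    fields = {}
    shift = 32
    for letter, width in parse_layout(fmt):
        shift -= width
        fields[letter] = (value >> shift) & ((1 << width) - 1)
    return fields


def encode_nas_port(fields, fmt=FORMAT_E):
    """Inverse of decode_nas_port; refuses values that overflow a field."""
    value = 0
    for letter, width in parse_layout(fmt):
        part = fields.get(letter, 0)
        if not 0 <= part < 1 << width:
            raise ValueError(f"field {letter} does not fit in {width} bits")
        value = (value << width) | part
    return value


def describe(value, fmt=FORMAT_E):
    """Readable breakdown, e.g. when checking RADIUS accounting records."""
    return ", ".join(f"{LETTER_MEANING[k]}={v}"
                     for k, v in decode_nas_port(value, fmt).items())


if __name__ == "__main__":
    # Nas-Port values taken from the "show subscriber session" output on this
    # page: 67108896 on Bundle-Ether100.2 (VLAN 2) and 67110466 on
    # Bundle-Ether100.100 (VLAN 100).
    for nas_port in (67108896, 67110466):
        print(nas_port, "->", describe(nas_port))
```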
!Set up for AAA usage. Note that we don't have "aaa new-model" in
!XR. Also "subscriber" is the method used for BNG; method "PPP" is used for
!serial PPP.
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
!DHCP configuration
dhcp ipv4
!specify a profile name and define what method is used, relay, proxy
!or snooping.
profile AutoSelectGiaddr proxy
!Different classes may be defined. This is not necessarily the
!vendor class, but here we can check certain options in the discover
!to selectively set the helper address and giaddr. That last one
!will affect the pool we’re going to use on the dhcp server.
class HardPhone1
match option 60 hex 4861726450686F6E6531 mask 0
!Option 60 is the vendor-class, followed by a hex string. I chose it
!to match the "class" name from the line above, but that is not
!necessary. The mask defines which bytes must match and which are
!don't-cares. A mask of 0 means full match.
helper-address vrf default 81.1.1.2 giaddr 10.1.1.254
!
class HardPhone2
match option 60 hex 4861726450686F6E6532 mask 0
helper-address vrf default 81.1.1.2 giaddr 172.28.15.254
!
relay information option
relay information policy replace
relay information option remote-id testme
relay information option allow-untrusted
! The configuration above defines the option 82 handling.
! Allow-untrusted means that we accept dhcp discovers with a 0.0.0.0
! giaddr, which is normally the case when there is no relay between
! the client and the 9k.
Relay information policy:
Case # | Received packet option-82 suboptions | Configured option-82 suboptions | Forwarded packet option-82 suboptions for full-option-82 keep | Forwarded packet option-82 suboptions for individual-suboption keep | Forwarded packet option-82 suboptions for replace
1 | "rx-cid", "rx-rid" | "in-rid", vpn-id | "rx-cid", "rx-rid" | "rx-cid", "rx-rid", vpn-id | "rx-cid", "in-rid", vpn-id
2 | "rx-cid" | "in-rid", vpn-id | "rx-cid" | "rx-cid", "in-rid", vpn-id | "rx-cid", "in-rid", vpn-id
3 | (none) | "in-rid", vpn-id | "in-rid", vpn-id | "in-rid", vpn-id | "in-rid", vpn-id
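To make the three forwarding behaviours in the table concrete, here is an added model (not code from this document or from Cisco) that reproduces every cell of the table and then applies the page's own "replace" policy with the configured remote-id "testme". The policy labels are the table's column names (only "replace" is an XR keyword on this page), and the suboption values are the table's constructed placeholders plus one constructed client-chosen remote-id.

```python
# Policy labels taken from the table's column headings.
FULL_KEEP = "full-option-82 keep"
SUBOPTION_KEEP = "individual-suboption keep"
REPLACE = "replace"            # the keyword used in this page's config


def forward_option82(received, configured, policy):
    """Return the option-82 suboptions the relay forwards to the DHCP server.

    received   -- suboptions found in the client's DISCOVER ({} if none)
    configured -- suboptions the relay itself is set to insert
    """
    if policy == FULL_KEEP:
        # An incoming option 82 is forwarded untouched; only a packet that
        # carries none gets the relay's configured suboptions.
        return dict(received) if received else dict(configured)
    if policy == SUBOPTION_KEEP:
        # Received suboptions win; configured ones fill the gaps only.
        return {**configured, **received}
    if policy == REPLACE:
        # Configured suboptions overwrite whatever the packet carried, while
        # received suboptions the relay does not configure still pass through.
        return {**received, **configured}
    raise ValueError(f"unknown relay information policy: {policy!r}")


# The three rows of the table: (received, configured, expected per policy).
CONFIGURED = {"remote-id": "in-rid", "vpn-id": "vpn-id"}
TABLE_CASES = [
    ({"circuit-id": "rx-cid", "remote-id": "rx-rid"}, CONFIGURED, {
        FULL_KEEP: {"circuit-id": "rx-cid", "remote-id": "rx-rid"},
        SUBOPTION_KEEP: {"circuit-id": "rx-cid", "remote-id": "rx-rid",
                         "vpn-id": "vpn-id"},
        REPLACE: {"circuit-id": "rx-cid", "remote-id": "in-rid",
                  "vpn-id": "vpn-id"},
    }),
    ({"circuit-id": "rx-cid"}, CONFIGURED, {
        FULL_KEEP: {"circuit-id": "rx-cid"},
        SUBOPTION_KEEP: {"circuit-id": "rx-cid", "remote-id": "in-rid",
                         "vpn-id": "vpn-id"},
        REPLACE: {"circuit-id": "rx-cid", "remote-id": "in-rid",
                  "vpn-id": "vpn-id"},
    }),
    ({}, CONFIGURED, {
        FULL_KEEP: dict(CONFIGURED),
        SUBOPTION_KEEP: dict(CONFIGURED),
        REPLACE: dict(CONFIGURED),
    }),
]


def table_matches():
    """True when the model reproduces every cell of the table above."""
    return all(forward_option82(rx, cfg, pol) == want
               for rx, cfg, expected in TABLE_CASES
               for pol, want in expected.items())


def untrusted_client_remote_id(policy):
    """Remote-id the DHCP server sees when a client accepted under
    allow-untrusted inserts its own remote-id while the relay is configured
    with "testme" (the remote-id in this page's config).  "client-chosen"
    is a constructed value."""
    return forward_option82({"remote-id": "client-chosen"},
                            {"remote-id": "testme"}, policy)["remote-id"]
```

With the page's combination of allow-untrusted and policy replace, the relay's own remote-id overrides anything the client inserted, which is consistent with the "Remote ID: testme" seen in the session output later on this page; under either keep policy a client-supplied remote-id would reach the server instead.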
! Define the interfaces and the attached profiles
interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr
interface Bundle-Ether1001.2 proxy profile AutoSelectGiaddr
!
pppoe bba-group X
tag ppp-max-payload minimum 1200 maximum 2000
service selection disable
! PPPoE group definition. Currently there is limited service selection
! support (just matching on service name). The COS values for PPPoE
! control and the processing/support for the max-payload tag can be
! defined here. In IOS you could configure the processing of vendor tags
! and strip them selectively. In XR we always process the tags and we
! always strip them from a PADR.
!IP address pool definition
pool vrf default ipv4 POOL
address-range 199.1.1.1 199.1.255.255
!
!The dynamic templates are like IOS virtual-templates. The base
!configuration for each session is defined here. L3 features as well
!as PPP specific parameters are defined here.
dynamic-template
type ppp TPL
ppp authentication chap
ppp ipcp dns 1.2.3.4 1.2.3.3
ppp ipcp peer-address pool POOL
ipv4 unnumbered Loopback1000
!
type ipsubscriber IPSUB
ipv4 unnumbered Loopback12
ipv4 access-group IPSUB_FAIL_ACL ingress
ipv4 access-group IPSUB_FAIL_ACL egress
!A few ACL definitions referenced in the radius profile, in the qos
!class-maps or in the dynamic template.
ipv4 access-list PERM_ALL
10 permit ipv4 any any
20 permit icmp any any
!
ipv4 access-list lab-video
20 permit udp any any eq 5544
30 permit udp host 49.1.1.2 any
!
ipv4 access-list IPSUB_FAIL_ACL
5 permit icmp any any
10 permit tcp any host 49.1.1.2 eq www
15 permit tcp host 49.1.1.2 eq www any
20 deny ipv4 any any
!QOS class-map used in COA parameterized QOS requests
!remember that with pQOS you can define the policy-map via RADIUS,
!however you need to define your class-maps locally in XR.
class-map match-any VIDEO
match access-group ipv4 lab-video
end-class-map
!
class-map match-any 3play-voip
match access-group ipv4 telnet
end-class-map
!These are the class-maps used later in the control policy. You can
!match on various aspects of the interface/session, like username or
!domain. In this case we have simple class-maps that match on the
!protocol, so we are going to differentiate between PPP and IP subscribers.
!
class-map type control subscriber match-any PPP
match protocol ppp
end-class-map
!
class-map type control subscriber match-any DHCP
match protocol dhcpv4
end-class-map
!
!In this sample class-map we take the username, split it on the
!separator defined in the "format DOMAIN" attribute definition, and
!check whether the resulting domain name matches "vrf_vpn".
class-map type control subscriber match-any matchdomain
match domain vrf_vpn format DOMAIN
end-class-map
!
!This is the most important part, the XR control Policy.
policy-map type control subscriber sub
event session-start match-first
!
!Events: during the session lifetime, various events are triggered.
!In this case we provide a handler for the session-start event. This is
!the reception of a PADI for pppoe sessions or a dhcp discover for IP
!sessions.
!The match-first means that we only handle one class of the event:
!the class that matches first.
!This as opposed to match-all, which means that we traverse all
!classes to see if they match and execute the actions defined
!underneath each matching class.
!
Event | What does it do or when is it triggered? |
session-start | when we get the first sign of life (for pppoe that is at PADR) |
session-activate | This is done at the authentication phase – i.e. when we’ve got the username/password (or challenge/response) (PPPoE ONLY) |
authentication-failure* | when we receive an access-reject from radius |
authentication-no-response | when the method list for authentication request does not return any response (success/reject) |
authorize-failure* | when we receive an access-reject from radius |
authorize-no-response | when the method list for authentication or authorization does not return any response (success/reject) |
service-stop | when a service that is applied to the session is removed or stopped |
class type control subscriber CLASS do-until-failure
!
!CLASS: Underneath that event, we define the classes. In this example
!I created 2 classes to match specifically on DHCP and PPP sessions.
!I can have 1 control policy with 1 event, and then the class
!differentiator to determine what I want to do specifically/separately
!for both session types.
!
Do until? | What does it do? |
do-until-failure | Actions are executed until one fails (e.g. access reject, no radius response or feature application failure); at that point execution stops. |
do-until-success | As soon as an action succeeds, execution stops. |
do-all | Regardless of the success or failure all actions are executed |
!
10 activate dynamic-template TPL
!
!Activation of the dynamic template configuration. PPP will take the
!LCP parameters and auth protocol from there.
!
!Class-actions:
!
event session-activate match-first
class type control subscriber CLASS do-until-failure
10 activate dynamic-template TPL
20 authenticate aaa list default
!Note: because authenticate uses the line username, it is generally useless on the session-start event; authorize, with which you compose the username based on mac/circuit-id etc., is very useful in both session-start and session-activate.
!
!
end-policy-map
!
policy-map type control subscriber ipsub
event session-start match-first
class type control subscriber DHCP do-until-failure
10 authorize aaa list default identifier source-address-mac password cisco
! Use the authorize here to compose the username to be sent to
! radius. In this case we use pw cisco as the password.
!
end-policy-map
! Define the bundle-ether master and configure for destination ip
! based loadbalancing, so that each subscriber hashes all its traffic
! onto one member only, for accurate QOS.
interface Bundle-Ether100
bundle load-balancing hash dst-ip
! The IP session interface must have an ip address, in order to
! accept ip packets, i.e. the dhcp discover.
! If the unicast flag is set, like in MAC OSX or WXP (IOS dhcp client
! leaves the broadcast flag), then this address MUST be the same as
! the subnet for the ip sessions. If it is not the same we can’t
! unicast the offer.
interface Bundle-Ether100.2
ipv4 address 87.78.77.1 255.255.255.0
service-policy type control subscriber ipsub_fancy_auth
encapsulation dot1q 2
ipsubscriber ipv4 l2-connected
initiator dhcp
initiator unclassified-source
!
! Define the bundle sub interface for the right vlan, enable for PPPoE
! via the bba-group and attach the control policy
interface Bundle-Ether100.20
service-policy type control subscriber sub
pppoe enable bba-group X
encapsulation dot1q 20
! Loopback interface for ppp sessions
interface Loopback1000
ipv4 address 101.101.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0/19
! Enable LACP on the bundle member and set it to bundle-e100
bundle id 100 mode active
load-interval 30
!
interface GigabitEthernet0/1/0/19
! Enable LACP on the bundle member and set it to bundle-e100
bundle id 100 mode active
load-interval 30
Show command verification
RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all det
Mon Nov 7 17:20:27.701 EDT
Interface: Bundle-Ether100.2.ip5
Circuit ID:
Remote ID: testme
Type: IP: DHCP-trigger
IP Address: 172.28.15.1, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000044
Nas-Port: 67108896
Username: unknown
Subscriber Label: 0x00000044
Created: Thu Nov 3 16:26:33 2011
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether100.2
Policy Executed:
policy-map type control subscriber ipsub_fancy_auth
event Session-Start match-first [at Thu Nov 3 16:26:33 2011]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB [Succeeded]
10 authorize aaa list default [Failed]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: None
Interface: Bundle-Ether100.100.pppoe2
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IP Address: 199.1.1.2, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000145
Nas-Port: 67110466
Username: test
Subscriber Label: 0x00000145
Created: Thu Nov 3 16:28:10 2011
State: Activated
Authentication: authenticated
Access-interface: Bundle-Ether100.100
Policy Executed:
policy-map type control subscriber sub
event Session-Start match-first [at Thu Nov 3 16:28:10 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
event Session-Activate match-first [at Thu Nov 3 16:28:31 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
20 authenticate aaa list default [Succeeded]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: 0x500c0d24
1: service-type len= 4 value= Framed
2: sub-qos-policy-out len= 5 value= shape
Hi Andrew, this is potentially part of the problem:
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Service-Type [6] 6 Outbound[5]
in the access accept, you want to remove the service type outbound from your profile.
that is why the discover is not relayed to the dhcp server.
btw great capture of the relevant detail, generally i have to ask for outputs multiple times and it is nice to see everything in one query as it allows making an assessment quicker...
xander
I removed service-type from the accept, but the situation remains the same:
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Send Access-Request to 10.101.10.2:1812 id 23, len 398
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: authenticator 91 58 BF 2E C1 63 CA A2 - 6B 03 C5 CA F7 52 C4 9D
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Vendor-Specific [26] 41
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Vendor-Specific [26] 38
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Vendor-Specific [26] 24
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Vendor-Specific [26] 20
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Vendor-Specific [26] 34
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Vendor-Specific [26] 35
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: Acct-Session-Id [44] 10 00000516
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: NAS-Port [5] 6 2013265920
RP/0/RSP0/CPU0:Aug 23 14:40:17.036 : radiusd[1100]: RADIUS: NAS-Port-Id [87] 11 0/0/4/120
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: Vendor-Specific [26] 17
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: User-Name [1] 31 0006f4ec38aa2636:00040078000a
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: Service-Type [6] 6 Outbound[5]
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: User-Password [2] 18 *
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: Vendor-Specific [26] 28
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: NAS-Port-Type [61] 6 VIRTUAL_IPOEOVLAN[43]
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: Called-Station-Id [30] 14 00040078000a
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: Event-Timestamp [55] 6 1377258017
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: Calling-Station-Id [31] 18 0006f4ec38aa2636
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: NAS-IP-Address [4] 6 217.19.208.40
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: RADIUS: Nas-Identifier [32] 9 ISG-10G
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: Using global deadtime = 0 sec
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: Start timer thread rad_ident 23 remote_port 1812 remote_addr 0xa650a02, socket 1342478680 rctx 0x501c6f38
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: Got global deadtime 0
RP/0/RSP0/CPU0:Aug 23 14:40:17.037 : radiusd[1100]: Successfully sent packet and started timeout handler for rctx 0x501c6f38
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: rctx found is 0x501c6f38
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: Radius packet decryption complete with rc = 0
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: Received from id 23 10.101.10.2:1812, Access-Accept, len 707
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: authenticator FD 96 64 99 11 E5 C4 1F - 91 0E 16 BD 57 17 32 8F
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: Vendor-Specific [26] 33
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: Vendor-Specific [26] 35
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: Vendor-Specific [26] 43
RP/0/RSP0/CPU0:Aug 23 14:40:17.045 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 43
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 43
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 58
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 35
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 30
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 36
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 36
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: RADIUS: Vendor-Specific [26] 31
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: Freeing server group transaction_id (7D00005F)
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: pack_length = 707 radius_len = 707
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: rad_nas_reply_to_client: Received response from id : 23,packet type 2
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS
RP/0/RSP0/CPU0:Aug 23 14:40:17.046 : radiusd[1100]: (rad_nas_reply_to_client) Successfully stored the preferred server info
RP/0/RSP0/CPU0:Aug 23 14:40:17.047 : dhcpd[1068]: DHCPD: TP1984: Session create response received from DPM: sub_label 0x0 (0)
RP/0/RSP0/CPU0:Aug 23 14:40:17.048 : dhcpd[1068]: DHCPD: TP1225: Process packet event, client mode: PROXY
RP/0/RSP0/CPU0:Aug 23 14:40:17.048 : dhcpd[1068]: DHCPD PROXY: TP1904: Init handler called for chaddr 1cc1.dea0.2760 with event DROP-PACKET
RP/0/RSP0/CPU0:Aug 23 14:40:17.048 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf
RP/0/RSP0/CPU0:Aug 23 14:40:17.048 : dhcpd[1068]: DHCPD PROXY: TP1961: DISCOVER from chaddr 1cc1.dea0.2760 in proxy mode dropped
RP/0/RSP0/CPU0:Aug 23 14:40:17.048 : dhcpd[1068]: DHCPD: dhcpd_proxy_process_event: Init handler success
Also I tried to log in with a bad username to receive a reject from radius. I received it, the session was created and I received an IP.
sh subsc ses all det
Fri Aug 23 14:49:53.833 MEST
Interface: Bundle-Ether4.120.ip1025
Circuit ID: 000400780014
Remote ID: 0006f4ec38aa2636
Type: IP: DHCP-trigger
IPv4 State: Up, Fri Aug 23 14:49:35 2013
IPv4 Address: 192.168.1.2, VRF: default
Mac Address: 1cc1.dea0.2760
Account-Session Id: 00000521
Nas-Port: 2013265920
User name: unknown
Outer VLAN ID: 120
Subscriber Label: 0x00000060
Created: Fri Aug 23 14:49:34 2013
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether4.120
Policy Executed:
policy-map type control subscriber ISG
event Session-Start match-first [at Fri Aug 23 14:49:34 2013]
class type control subscriber IPoE do-until-failure [Succeeded]
10 activate dynamic-template FTTX [Succeeded]
20 authorize aaa list default [Succeeded]
event Author Failure match-first [at Fri Aug 23 14:49:34 2013]
class type control subscriber IPoE do-until-failure [Succeeded]
10 activate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]
Session Accounting: disabled
Last COA request received: unavailable
I mean that maybe something in the radius accept message is wrong and that's why DHCP is dropped, but in the debug I see "Successfully decoded the response No error: PASS"
P.S.: I use ASR9001 with IOS XR 4.3.1
yes the PASS just means that the radius packet decoded properly, but somehow the contents of the accept are not usable, that is why we are dropping the discover. so that is all understandable. I know for sure the service-type with whatever value will cause this issue, hence that as first suggestion.
I can't really tell what the values are from the VSA's that you are sending down.
Are you including an unnumbered?
Maybe you can paste the radius profile and I can potentially tell you what may be the culprit.
Or different approach:
Add only an ipv4:ipv4-unnumbered=<loopback something>
it should come up
and then slowly add the other attrs you have; would still be interested in seeing the complete profile though.
regards
xander
Hello,
I did the same when I had a problem with PPPoE. I removed all VSA's and started adding one by one.
It helped
It works! Without the improper AV-pairs the session comes up!
I have another question. Now we have ISG on ASR1002. And we assign access-lists to subscribers from radius, like this:
Cisco-avpair="ip:outacl#10=den t a a eq 23"
Cisco-avpair="ip:outac#17=den t a a eq 80"
Cisco-avpair="ip:outacl#900=pe ip a a"
I read this document https://supportforums.cisco.com/docs/DOC-35624 and there were only these AV-pairs for ACLs:
ipv4:inacl=<in_acl_name>
ipv4:outacl=<out_acl_name>
So I understand that in IOS XR we can now only add whole ACLs to a subscriber from RADIUS, without being able to modify the rules in them. Or maybe not?
ah yeah, very cool. indeed asr9k doesn't have parameterized ACLs yet.
you need to define the acl in XR and reference it via the 2 you mentioned or via filter-id attr 11.
xander
Hi again! I have another question for you.
from RADIUS I send ACL's to subscriber:
Cisco-avpair="ipv4:outacl=ACL-OUT"
Cisco-avpair="ipv4:outacl=ACL-IN"
But when I make this:
sh access-lists interface Bundle-Ether4.120.ip1287
Mon Aug 26 17:06:15.800 MEST
Input ACL : N/A
Output ACL : ACL-OUT
I see only ACL-OUT. Both ACLs are created on the ASR. Why don't I see the in ACL on the subscriber??
By the way, redirect for unauth users works perfectly!!
There is a bug with that command Andrew that I recently became aware of.
Try to use:
show access-lists <acl_name> usage pfilter location 0/rSP0/CPU0
location is rsp for bundle sessions or the Lc for phy/sub termination.
output:
Input ACL : N/A
RP/0/RSP1/CPU0:A9K-BOTTOM#
ipv4 access-list BNG_test
10 permit icmp any any
30 permit ipv4 any any
Hi! Thanks for the advice!
Now I see this:
sh access-lists ACL-OUT usage pfilter location 0/rSP0/CPU0
Tue Aug 27 10:46:36.559 MEST
Interface : Bundle-Ether4.120.ip1747
Input ACL : N/A
Output ACL : ACL-OUT
sh access-lists ACL-IN usage pfilter location 0/rSP0/CPU0
Tue Aug 27 10:46:43.111 MEST
Interface : Bundle-Ether4.120.ip1747
Input Common-ACL : N/A ACL : ACL-IN
Output ACL : N/A
I tried to verify how the rules work. ACL-IN works great, but ACL-OUT doesn't work.
ipv4 access-list ACL-IN
10 permit tcp any 10.200.208.0 0.0.15.255 eq smtp
20 deny tcp any any eq smtp
30 permit ipv4 any any
ipv4 access-list ACL-OUT
10 deny tcp any any eq telnet
20 deny tcp any any eq www
50 permit ipv4 any any
Even if I put this rule in ACL-OUT:
1 deny ipv4 any any
I still could browse the internet and so on. Maybe I made a mistake somewhere or it's a bug??
Thank you for the help!!
Hello Xander!
I have another issue in addition to one I described above.
To some authenticated users I want to limit session time. The only way I found to do it is RADIUS attribute Session-Timeout.
I see this attribute in accept message:
RP/0/RSP0/CPU0:Aug 30 13:15:48.676 : radiusd[1100]: RADIUS: Received from id 130 10.101.10.2:1812, Access-Accept, len 93
RP/0/RSP0/CPU0:Aug 30 13:15:48.676 : radiusd[1100]: RADIUS: authenticator 2B 47 B1 90 C5 EB B4 A8 - 23 66 73 9E 25 20 4B D9
RP/0/RSP0/CPU0:Aug 30 13:15:48.676 : radiusd[1100]: RADIUS: Vendor-Specific [26] 26
RP/0/RSP0/CPU0:Aug 30 13:15:48.676 : radiusd[1100]: RADIUS: Vendor-Specific [26] 41
RP/0/RSP0/CPU0:Aug 30 13:15:48.676 : radiusd[1100]: RADIUS: Session-Timeout [27] 6 600
Example I have found in this documentation:
But I can't see this timeout with any cli command, and when 600 sec pass the session still remains UP. Can you explain this, or maybe there is another way to limit session time when the user is in the authenticated state?
hi andrew, this attr is only possible with ppp sessions.
if you do a show subscr sess all internal you can see that attr being passed and applied to the session.
for ip sessions this is more "dangerous" as it retains the ip addr anyway, so what you probably better do for ip sessions
is to start a timer in the control policy and after that expiration apply http-redirect.
then the user will be notified that his session ended.
removing a session for ip; leaves the client with an addr, but no access as his subscriber context is removed; which is a good source for some calls to your help desk
cheers!
xander
Thanks! I'll try to make some rules in the control policy.
But what can you say about my previous post about out ACLs? They still don't work on my BNG.
It remains the only issue in my BNG configuration. All other features work fine and next week I want to migrate from ASR1000 to 9001 BNG.
hi andrew, apologies I may have missed that question earlier.
try to disable unreachables on the template and access interface.
I think with show controller np counters npX loc 0/Y you'll see punts happening due to ACL_DENY or some similar count and since subscr interfaces are not registered in netio, it accidentally starts forwarding them in sw.
disabling unreach prevents this punt operation and the packet will be dropped hard in the np.
let me know if that does(n't) work.
if that is the case I have a bug for it also that is to be fixed btw.
xander
Xander thank you! You helped me a lot!
Now my BNG is ready to be in production!
If I'll find any issues I'll again ask for help.
Super awesome Andrew!! Glad we made it work!!
thank you for your patience and working with me! and yes if anything else pops up! send a note and we'll get on it
cheers!
xander